Prioritizing Data Privacy to Insure your Startup’s Future
Executives at organizations of every size recognize that data privacy and cybersecurity matters must be taken seriously and prioritized by their teams. However, for startup founders, managing data privacy and cybersecurity risk can feel like another task in a never-ending line of administrative duties needed to get your business up and running.
In our experience working with startups, we find that most business leaders in their early stages are laser-focused on sales, marketing and fundraising – at times to the detriment of their organization's risk management. Data privacy usually takes a back seat to revenue-generating deliverables when time and resources are already stretched thin.
But simply put, ignoring your company's data privacy and cybersecurity obligations may undermine everything else that you are working to achieve for your startup.
A single data breach can be fatal to an emerging growth company.
Data breaches create a lack of trust and deter customers and investors from being excited about what your company can offer them.
These privacy issues are now so important, and so highly visible, that savvy investors now require issuers to address and remediate any gaps in their data privacy and cybersecurity plans.
The National Venture Capital Association (NVCA) Model Legal Documents, the nationwide industry standard documents for venture capital (VC) financing, have addressed this in Section 5.13 of the model Investors' Rights Agreement.
In summary, this section provides that businesses do the following within 180 days of closing:
- Identify protected data.
- Implement cybersecurity solutions to protect the data.
- Ensure routine maintenance of cybersecurity solutions.
- Require security vendors to provide notification of any incidents.
- Evaluate cybersecurity measures at least annually.
- Educate employees about the proper use and storage of protected data, including training.
What Section 5.13 of the Investors' Rights Agreement makes clear is that the issuing company is obligated to address its data privacy and cybersecurity risks. Failure to do so can give investors the basis to allege breach of this contract, as well as claims for breach of fiduciary duty. That being said, this language is broad and still leaves a great deal up to the interpretation of the company.
Rather than waiting for conditions to be imposed by investors, all companies, and especially startups, should prioritize and proactively address their data privacy and cybersecurity risks.
In the wide world of continuously evolving data privacy and cybersecurity regulation and requirements, plotting a course to address these issues is easier said than done.
To that end, we developed a checklist of things that startup CEOs, COOs, & CFOs should start with:
Snapshot of our Data Privacy and Cyber Security Checklist:
- Protected Data Inventory and Mapping Risk Assessment
- Data Privacy and Security Program plan
- Development and implementation of privacy and security tasks